Saturday, February 4, 2012

Parental Controls and the Kindle Fire

The Kindle Fire is Amazon's first foray into the world of tablets running the Google Android operating system. Many tech people have classified the Fire as an e-reader device, but that's not strictly true. Most of today's e-reader devices (such as all of the other Kindles, all of the Sony devices, the original Nook and the Simple Touch, and most of the others) use some form of electronic ink display, while the Fire uses a tablet-standard LED-backlit LCD screen. To me, that difference, coupled with the Fire's faster dual-core CPU and multimedia capabilities, makes the Fire a tablet, not an e-reader.

Esoterica aside, the Fire is by all accounts a great device for just $200. It certainly isn't the fastest tablet, nor does it have the most memory or storage or the largest screen of all the tablets, but you get a lot more bang for your tech dollar than you get from a lot of other devices.

Amazon's main marketing ploy with the Fire has been to extol the virtues of the tablet's Silk web browser. It uses AWS, Amazon Web Services, which runs on Amazon's gargantuan Elastic Compute Cloud, or EC2. EC2 is a huge distributed server cluster which can be used as a supercomputer for scientific computations, or as a high-availability host for business or personal services with practically zero downtime. Anyone can purchase time and space on EC2 and use it for practically anything legal.

Silk uses AWS as an enormous caching web proxy system. A Fire using the Silk browser sends a request for a web page to AWS, which then downloads all of the page's content, converts it to a form more easily digested by the Fire's somewhat limited hardware capabilities, and sends that rendered data to the requesting Fire for display. AWS also keeps a copy of all of the resources used (images, ad content, etc.) so that other Fires browsing that same page later are served those cached items, which dramatically increases browser performance. This sounds great on paper, but there is, I believe, a significant problem with this approach which may be of interest to those parents who have purchased Fires for their children as Christmas or birthday gifts. However, describing the nature of this problem will first require some explanation of the inner workings of DNS.

(Note: this will be a fairly long article, but stick with me; I think it'll be worth it.)

DNS is the Domain Name System, a critical component of the Internet as we know it today. Without DNS, the Internet would still be the sole domain of educational facilities and government agencies, while the rest of us would still be stuck with CompuServe, Prodigy, and AOL. All of the servers we access on the Internet use a series of numbers known as IP addresses. You've probably seen these; they look like "192.168.1.1". These are great for computers and for the über-geeks among us (such as myself), but they don't work so well for Joe Blow. Imagine if you had to keep track of the IP addresses for all of the websites you use daily, and you'll see that it would be difficult, if not impossible, to use the Internet at all.

DNS allows us mere humans to use words to refer to our favorite websites. When you type "www.google.com" into your browser, your computer sends a request to the nearest DNS server, which is usually maintained by your ISP, for the IP address which corresponds to the domain name you typed in. That DNS server either knows what the IP address is and returns it to the browser (one of the addresses I got for Google was 74.125.115.147), or it contacts another DNS server which does. You see, DNS is a hierarchical system, meaning that not every DNS server has to know every IP address on the Internet; each DNS server knows a whole bunch of IP addresses, but each also knows of a bunch of other DNS servers that it can contact for addresses it doesn't know. Then it can cache that address for quicker future use. There are mechanisms for making sure the DNS address cache doesn't get stale, and ways to use DNS for server load balancing and other things to help speed up streaming media and much more, but those are outside the scope of this post. We just need to deal with the basic names-to-numbers translation function of DNS.

Many parents these days are concerned about their children (or even themselves) coming across websites with inappropriate content of one form or another. Many families use filtering software such as Net Nanny or CyberCop, and on the face they're a good idea; however, I personally don't like this approach for several technical reasons. For one thing, if you have more than one computer in the house, you have to purchase a license for each computer. Secondly, in order for this kind of software to do what it does, it has to dig deep into the networking portions of your computer's operating system. If the OS developer has to update any part of that code, it can render locally-installed filter software non-functional. Alternately, if the filter software has bugs, it can render your network connection completely useless, possibly requiring a complete system reinstall to repair (I've had to do a couple of these for this very reason. Very much not a desired outcome). Thirdly, it's hard to find this type of application for the current crop of tablet and smartphone devices.

The solution for these problems is OpenDNS (http://www.opendns.com). It has free and for-purchase options, but all levels of service include configurable, categorized content filtering for your home or company network, without having to install any software. And as a nice encore, OpenDNS usually makes your browsing experience faster than before (see the site for a better explanation of this). You simply sign up for a free or paid account, choose the types of content you want to allow or block, follow their instructions to modify your Internet router's configuration (which is easier than it sounds, I promise), and you're done. No software to install anywhere, and you instantly protect every device which uses your broadband Internet connection. Even better, it instantly protects you from the average Joe who pulls up to the curb outside your house and tries to "borrow" your connection. Of course, there are ways to get around it, but there are also ways to make it more difficult to get around.

Here's how OpenDNS works: instead of your ISP's DNS servers, you'll use OpenDNS's. After you have your router properly configured, it will forward all DNS requests to OpenDNS's servers instead of your ISP's. They match up your router's IP address with your user account, check their database for the sites you have allowed or blocked, and either let you browse the site or return a descriptive error message as a web page. So, what does this have to do with the Kindle Fire's Silk web browser?

Well, to put it simply, in its factory-default configuration, Silk bypasses your router's DNS settings. If you use OpenDNS, as I do, you'll find that your Fire can browse sites that you have blocked in your OpenDNS configuration. This is because by default, Silk only uses your DNS server to look up the address for AWS (and it may not even do that; it may have all the AWS IP addresses encoded directly into the browser, which would skip the DNS step entirely); all subsequent communications occur directly with AWS. This means that it is Amazon's DNS servers which are performing the translation from domain name to IP address, allowing your Fire to get to Playboy, Match.com, or any other site you don't want your kids or your husband to access!
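One way to spot a device that is sidestepping a DNS filter like this is to compare what your resolver answered with where each device actually sent its traffic. The following is an added example, not part of the original post: the two log formats, the sample entries, the proxy name accel-proxy.example.net and the 0.9 threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not captured traffic. Addresses come from the
# documentation ranges; accel-proxy.example.net is a hypothetical proxy name.
# DNS log columns: time client queried_name answer_ip
DNS_LOG = """\
10:00:01 192.168.1.20 www.example.com 203.0.113.10
10:00:05 192.168.1.20 news.example.org 203.0.113.25
10:00:02 192.168.1.30 accel-proxy.example.net 198.51.100.7
"""
# Flow log columns: time client dst_ip dst_port bytes
FLOW_LOG = """\
10:00:02 192.168.1.20 203.0.113.10 80 18000
10:00:06 192.168.1.20 203.0.113.25 80 52000
10:00:03 192.168.1.30 198.51.100.7 443 910000
10:04:10 192.168.1.30 198.51.100.7 443 640000
10:09:44 192.168.1.40 198.51.100.9 443 300000
"""

# Split a log into fields, skipping blank or malformed lines.
def rows(log, width):
    return [r for r in map(str.split, log.splitlines()) if len(r) == width]

def audit(dns_log, flow_log, max_share=0.9):
    """Return {client: [reasons]} for clients the DNS filter cannot see."""
    resolved = defaultdict(set)   # client -> IPs our resolver handed out
    names = defaultdict(set)      # client -> names it asked our resolver for
    for _, client, name, ip in rows(dns_log, 4):
        resolved[client].add(ip)
        names[client].add(name)
    traffic = defaultdict(lambda: defaultdict(int))  # client -> dst -> bytes
    for _, client, dst, _port, nbytes in rows(flow_log, 5):
        traffic[client][dst] += int(nbytes)
    findings = {}
    for client, dsts in traffic.items():
        reasons = []
        # Destination never returned by our resolver: hard-coded address
        # or a different resolver, so the filter was never consulted.
        unresolved = sorted(d for d in dsts if d not in resolved[client])
        if unresolved:
            reasons.append("no-dns-lookup:" + ",".join(unresolved))
        # At most one name looked up and nearly all bytes to one address:
        # the traffic pattern of a browser tunnelling through a proxy.
        top, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        if len(names[client]) <= 1 and top_bytes >= max_share * sum(dsts.values()):
            reasons.append("single-endpoint:" + top)
        if reasons:
            findings[client] = reasons
    return findings
```

The single-endpoint rule is a heuristic and will also flag a device that only ever talks to one service, so treat a hit as a prompt to look at that device's browser settings rather than as proof.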

Thankfully, there is a solution, though it isn't perfect (but I think you'll be able to live with the tradeoff). When my friend Tommy first discovered that the Fire he had just bought his wife could browse sites which he had blocked via OpenDNS, he asked me about it. I almost immediately recognized the problem, and quickly found that this default acceleration behavior can be disabled; this will noticeably slow down the Fire's browsing experience, but it will allow your OpenDNS configuration to protect all the Fires using your connection just like all your other devices. Here's what you have to do:

Open your Fire's Silk browser and bring up the settings screen. Under the "Advanced" section at the bottom of the settings page, uncheck "Accelerate page loading". You're done!

I hope you've stayed with me through this article, especially if you or someone in your household has a Kindle Fire, and you use OpenDNS to filter your network's browsing content (which I cannot recommend strongly enough. It's free for the basic service, you don't have to install anything, it's easy to configure and update when your connection's IP address changes, and It Just Works (TM)!). In the interest of full disclosure, I am not an employee of OpenDNS, nor am I trying to advertise for them. They are simply the only company I know of who is providing a service that I think is a much better way of filtering web content than the traditional software solutions which have been available for years (and I've been using them for a few years myself).

Two more things I want to mention. First, there is a small possibility that there is a way to have both accelerated web browsing and OpenDNS filtering on the Fire, and I will try to investigate further as soon as I can get my hands on a Fire for some experimentation. Finally, OpenDNS is only effective where you can control the network; it isn't very likely that you'll find it in use at your local Starbucks or other public WiFi hotspots (though I can tell you the church I attend has been using it for some time). In the meantime, I hope this information has been useful to you. Thanks for reading!

P.S.: you might be interested to know that I composed this entire post on my Android tablet using Evernote and the tablet's built-in virtual on-screen keyboard (and it was rather slow-going, as you might imagine), though final proofing, tweaking, and publishing was done from a real computer with a real keyboard.